Sourcing Linux
The integrity of the open-source development process is under fire, and that may lead to some changes
Say what you will about SCO Group's allegations of source-code misappropriation (certainly, much of what has been said couldn't be printed here), the controversy raises questions about how open-source software gets assembled. While the community approach to open-source development undoubtedly leads to innovation and quality software, the process lacks some of the controls used in commercial software environments. If Linux is to keep growing, does the freewheeling network that creates it need to change? Some experts say it must.
SCO Group, with its $3 billion intellectual-property lawsuit against IBM and threat of legal action against users running the Linux operating system, started the debate over the operating system's lineage, but the intellectual-property issues facing Linux may not go away even if that case does. SCO officials say other Unix vendors have inappropriately contributed SCO's code to Linux, too. And Microsoft chairman and chief software architect Bill Gates, in a recent meeting with financial analysts, suggested the problem is even wider. "There's no question that, particularly in some of the more cloning-type activities, intellectual property from many, many companies, including Microsoft, is being used in open-source software," Gates said.
Uncertainty over the integrity of Linux code has led some IT analysts to warn companies to proceed with caution, and the discomfort level is rising among business-technology managers who have bet on the platform. "Something definitely needs to be done [differently]," says the CIO of a large company that has deployed hundreds of Linux servers.
Some Linux developers acknowledge they need to do a better job of proving that the code they submit for inclusion in Linux, under the General Public License, is squeaky clean. "There's no doubt about it. There needs to be more thought put into validating where a particular code contribution comes from," says Ian Murdock, founder of the no-cost Debian version of Linux and co-founder of Linux distributor Progeny Linux Systems.
Contributions to Linux code at the Open Source Development Lab must go through a structured process, CEO Cohen says. (Photo of Stuart Cohen by John Gress)
Not everyone agrees that the open-source model needs fixing. "Nothing about SCO's case against IBM tells us that our system has failed us," says Mark Webbink, general counsel for leading Linux distributor Red Hat Inc. Adds Stuart Cohen, CEO of the Open Source Development Lab, which is creating Linux-based software stacks for data-center workloads, there's "a very structured process for getting code into the kernel."
The development lab gets its funding from Hewlett-Packard, IBM, Intel, and other computing companies that back Linux. Among the checks and balances in place, Cohen says, are that code contributions must pass muster with Linus Torvalds--the Linux founder who recently went to work for the lab--as well as with Andrew Morton, who maintains the Linux kernel, and end users. Corporate members generally run potential contributions past their legal departments.
Holger Dyroff, director of sales with distributor SuSE Linux AG, says the very openness of open source makes it easy for an individual or a company to check if there's any concern over potential intellectual-property violations.
But the system isn't foolproof, and Torvalds doesn't want open-source developers doing intellectual-property legwork. "It is not engineers who should look up patents, it is patent lawyers," he wrote via E-mail in response to a question. "Having engineers try to look up patents only taints them and opens them up for willful infringement." Torvalds wrote that lawyers employed by the development lab's member companies should be the ones to watch for any problems.
A degree of uncertainty is inevitable with open-source software, says Stuart Meyer, a partner in the intellectual-property and litigation groups at law firm Fenwick & West LLP. But open-source developers could reduce uncertainty by being more "cognizant" of patent and intellectual-property issues and reviewing their work to ensure that it doesn't violate someone else's rights. "Some people are being ostriches and not doing this review," he says. "Others are working on it extensively."
At the same time that open-source developers are being forced to ponder those issues, companies using open-source products may be reassessing their legal exposure. The implicit warning to Linux users when SCO recently offered to "hold harmless" companies that sign its Unix license--the terms have yet to be disclosed--is that businesses that don't sign are considered liable. In addition to code copying, SCO says some derivative works, contributed by IBM and others, violate its license agreements. IBM has denied any wrongdoing.
While software contracts sometimes include indemnification clauses that shield customers from potential legal action, such clauses are uncommon with Linux. That, too, must change, say some observers. "Indemnification should not be limited to a particular operating system or software environment," Yankee Group analyst Laura DiDio says.
Roger Gariepy, chief technologist and architect with Air Products and Chemicals Inc., which is testing a Linux cluster, calls legal protection "a significant item for the open-source community to try to figure out."
Some potential problems do get screened before they surface in business environments. Red Hat stopped shipping an MP3 decoder with its operating system last year because of patent concerns. And commercial software companies aren't immune to intellectual-property claims--Microsoft last week forked over $26 million in licensing fees to settle a patent suit by Immersion Corp.
New tools could help prevent code from being illegally copied. For example, digital-rights-management technology might be applied to software-development processes, says Microsoft senior VP Eric Rudder. "There are probably some very interesting things for us to think about in how developers protect models, chunks of code, or specs," he says.
But before change comes to the open-source process, more participants will have to be convinced it's needed. "The open-source model doesn't have to change for corporate users," argues Scott McNeil, executive director of the Free Standards Group, a nonprofit organization that develops standards for the Linux operating system.
If anything, business-technology managers accustomed to dealing with commercial software companies need to adjust their thinking, says Mike Balma, HP's Linux business strategist. "Linux has different risks than a proprietary environment," Balma says. "If a company isn't willing to accept the risks, they have different options."
That includes paying SCO for its Unix license. Privately held agribusiness J.R. Simplot runs a combination of Linux and Windows operating systems on HP ProLiant servers in its data center. "If there winds up being some decree, and we have to pay $1,000 a pop for our Linux licenses, we'd pay it," says J.R. Simplot technology analyst Tony Adams. Linux is "worth something to us."